One of the main reasons that proponents of VPNs use to encourage the use of VPNs is that it provides you privacy from your ISP tracking you. No-one really every explains what this means, how your ISP may be tracking you, and why it’s bad though. Unfortunately, as much as you may hope that the threat of ISP tracking is overhyped, it’s a very real issue and it has affected users across the globe.
How can ISPs track you and what data can it get?
All internet users have to purchase an internet connection from an Internet Service Provider, or ISP. This means that all of your internet traffic goes through a single company. Your ISP can therefore monitor, log, analyse, and monetize every action you take on the internet. It can see every site and page your browse to, the usernames and passwords you enter, and anything you search for. Your ISP can even modify the content of any web request or response you send and receive, meaning you can’t be sure you’re seeing the web page you wanted. The only protection that you can have from this possibility is encryption.
Tip: Encryption is a process of scrambling data with an encryption cipher and encryption key so that it can only be decrypted and read by someone with the corresponding key. Encryption also prevents anyone else from being able to modify your internet traffic.
HTTPS or HyperText Transport Protocol Secure uses encryption to secure the content of your internet communications. It prevents your ISP from being able to read the data as the data is encrypted and your ISP doesn’t have the decryption key. Due to how HTTPS works and the design of other protocols such as DNS, it is still possible for your ISP to track what websites you browse to. HTTPS does, however, stop your ISP from being able to see specific web pages you access, any data you enter, and stops it from being able to modify the content of the web page.
VPNs take this a step further and tunnel all of your internet traffic through a secure connection to a VPN server, meaning your ISP can only see you sending data to your VPN provider. The privacy protection that a VPN provides stops your ISP from being able to track your internet usage and prevents your ISP from being able to modify the code or inject adverts into any website you visit.
Examples of ISPs tracking and injecting data
In 2007 Ars Technica reported that US ISP Comcast was found to be monitoring the activity of its users. It was also quietly co-opting its users into sending disconnect commands to prevent people from using Bit Torrent on its network. There was even evidence that Comcast was sending these disconnect commands to users on other service provider networks.
Tip: Torrenting is a common target of ISP tools, as it can consistently use a very large amount of bandwidth.
In 2011, The Atlantic reported that the recently overthrown president of Tunisia had recently ordered all Tunisian ISPs to inject a script that collected the username and password of everyone signing into Facebook within Tunisia. The government then used these credentials to delete Facebook pages and accounts that were involved in the protests against the president’s rule. This countrywide attack led to Facebook enabling HTTPS for Tunisian, then world-wide users, as encryption prevents this sort of script injection and credential stealing.
In 2013 Ars Technica reported that the advertising firm R66T (pronounced Route 66) was being contracted by the US ISP CMA to inject adverts into the internet traffic of its internet users.
In 2019 Appuals reported that the state-owned Indian ISP BSNL was injecting ads in the internet traffic of its users. Some of these ads were found to be actively malicious, serving scams and malware to unsuspecting users.